SOCWarden

How SOCWarden Works

A security ingestion engine. 15+ threat feeds and 9 OSINT APIs. Real-time risk scoring. All from a single POST /v1/events call.

Concept

Think of it like your home security

Your firewall is the front door lock. SOCWarden is the motion detector, the camera system and the alarm, watching everything that happens inside.

The Perimeter (WAF, Cloudflare)

What you already have

Your WAF and firewall block known-bad traffic at the door. Rate limiting, IP blocking, bot filtering. Essential, but it only sees the perimeter.

Inside: SOCWarden

What gets through the perimeter

SOCWarden watches what happens after traffic reaches your application. Login failures from Tor nodes, impossible travel, credential spraying and privilege escalation. All detected and scored in real time.

The invisible work: what happens after you call the API

Layer 1: Realtime (<1ms, in-process)
MaxMind GeoIP lookup
User-Agent parsing
Tor / VPN / proxy detection
Request anomaly scan

Layer 2: Threat Intelligence (<10ms, single query)
15 threat feed match
260k+ threat indicators
CIDR GiST indexing
Behavioral detection

Layer 3: Async OSINT (fire-and-forget)
AbuseIPDB confidence
GreyNoise / Shodan InternetDB
Pulsedive / HIBP / WHOIS
LLM classification

Getting started

Up and running in 2 minutes

One SDK install. One function call. Full threat intelligence.

Step 1: Create your free account

Sign up at app.socwarden.com. No credit card required. You get an API key instantly.

Step 2: Install the SDK and add your API key

Works with Laravel, Node.js, Python, Go, Browser or the raw HTTP API. Each SDK auto-collects IP, user agent and request context.

Terminal
# Laravel
composer require soc-warden/laravel-sdk

# Node.js
npm install @socwarden/node

# Python
pip install socwarden

# Go
go get github.com/soc-warden/go-sdk

Step 3: Place API calls at the right spots in your app

Track security-relevant events: logins, admin actions, API key changes, password resets. Use structured event types like auth.login.success.

AuthController.php
use SOCWarden\Facades\SOCWarden;

// After a login attempt
SOCWarden::track(
    event: 'auth.login.success',
    actor: $user,
);

// After an admin action (fluent builder)
SOCWarden::event('admin.settings.updated')
    ->actor($admin)
    ->meta('setting', 'billing')
    ->send();

// After a sensitive operation
SOCWarden::track(
    event: 'data.exported',
    actor: $user,
    resource: 'customers',
    metadata: ['format' => 'csv', 'rows' => 15000],
);

Step 4: SOCWarden enriches what happens inside your app

Every event is asynchronously enriched with GeoIP, 15+ threat feeds, 9 OSINT APIs, behavioral detection, risk scoring and MITRE ATT&CK mapping. Your app never waits.

Step 5: Get alerted the moment something suspicious happens

Alerts fire via Email, Telegram, Slack, Discord, PagerDuty or webhook. Smart grouping and deduplication reduce noise. Each alert includes LLM-generated summaries explaining what happened and why.

Risk scoring

Composite score: 0-100

Every signal adds to the composite risk score. Threat level: 0-24 (low), 25-49 (medium), 50-74 (high), 75-100 (critical).

Risk Signal Examples (points added to the composite score)
auth.login.failure (base)      +10
Tor exit node match            +40
Spamhaus DROP match            +50
Brute force (5 in 5m)          +25
Impossible travel detected     +50
AbuseIPDB >90% confidence      +30
VPN detected                   +10
New country (first time)       +20
Sanctioned country             +40
SQLi payload detected          +20

Server agent

One sensor is not enough

Application events cover your code. The SOCWarden agent covers your infrastructure: SSH access, file changes, process execution and Docker events. All shipping to the same API.

SSH Monitoring

Tracks all SSH login attempts, successful and failed. Detects root logins and distinguishes key-based from password authentication.

File Integrity

Monitors critical paths (/etc/passwd, /etc/shadow, config files) for unauthorized modifications.

Process Monitoring

Detects new processes, privilege escalation and suspicious binaries like cryptominers or reverse shells.

Docker Events

Watches container lifecycle, including starts, stops, exec commands and volume mounts. Detects container escape attempts.

Starter: 2 agents | Pro: 10 agents + Docker | Business: Unlimited

Detection

What does SOCWarden actually detect?

21 behavioral, sequence, and kill-chain detectors, plus real-time threat feed matching. Every detection is tagged with MITRE ATT&CK techniques.

Brute Force (T1110.001)

5+ failed login attempts within 5 minutes by actor or IP. Catches password guessing and automated credential attacks.

Impossible Travel (T1078)

Logins from locations that would require >800 km/h travel speed. Haversine distance calculation between consecutive logins.

Credential Spray (T1110.003)

Same failure pattern across 10+ distinct actors from the same /24 subnet. Catches distributed password spraying campaigns.

Geo-Anomaly (T1078.004)

First login from a new country or a sanctioned country. Tracks per-actor country history over a 14-day rolling window.

Session Anomaly (T1563)

3+ concurrent IPs on one session, or session created + role change within 5 minutes. Detects session hijacking.

Time-of-Day Baseline (T1078)

14-day rolling baseline of per-actor login hours. Admin actions outside normal hours add +10 risk. Catches off-hours compromise.
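A worked version of two of the detectors above (Brute Force and Impossible Travel) feeding the composite score and threat bands from the Risk scoring section, added here as an example rather than SOCWarden's own code: the weights, thresholds and bands are the page's, while the event dict layout, the base weight of 0 for auth.login.success and the sample events are assumptions.

```python
from datetime import datetime, timedelta
from math import asin, cos, radians, sin, sqrt

# Weights, thresholds and score bands are the page's; the event dict shape is an assumption.
WEIGHTS = {"auth.login.failure": 10, "auth.login.success": 0, "brute_force": 25, "impossible_travel": 50}
BRUTE_N, BRUTE_WINDOW, MAX_SPEED_KMH = 5, timedelta(minutes=5), 800

def threat_level(score):
    return "low" if score < 25 else "medium" if score < 50 else "high" if score < 75 else "critical"

def haversine_km(lat1, lon1, lat2, lon2):
    # Great-circle distance in km (Earth radius 6371 km), the calculation the page names
    lat1, lon1, lat2, lon2 = map(radians, (lat1, lon1, lat2, lon2))
    a = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(a))

def detect_brute_force(events, field):
    # Keys (field = "actor" or "ip") with 5+ auth.login.failure events inside any sliding 5-minute window
    by_key = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["event"] == "auth.login.failure":
            by_key.setdefault(e[field], []).append(e["ts"])
    return {k for k, ts in by_key.items()
            if any(ts[i + BRUTE_N - 1] - ts[i] <= BRUTE_WINDOW for i in range(len(ts) - BRUTE_N + 1))}

def detect_impossible_travel(events):
    # Actors whose consecutive successful logins would require travelling faster than 800 km/h
    logins = sorted((e for e in events if e["event"] == "auth.login.success"), key=lambda e: (e["actor"], e["ts"]))
    hits = set()
    for prev, cur in zip(logins, logins[1:]):
        km, hours = haversine_km(*prev["geo"], *cur["geo"]), (cur["ts"] - prev["ts"]).total_seconds() / 3600
        if prev["actor"] == cur["actor"] and km > 0 and (hours == 0 or km / hours > MAX_SPEED_KMH):
            hits.add(cur["actor"])
    return hits

def risk_score(event, events):
    # Composite: base weight for the event type plus each detector that fired for its actor or IP, capped at 100
    brute = detect_brute_force(events, "actor") | detect_brute_force(events, "ip")
    score = WEIGHTS.get(event["event"], 0)
    score += WEIGHTS["brute_force"] if {event["actor"], event["ip"]} & brute else 0
    score += WEIGHTS["impossible_travel"] if event["actor"] in detect_impossible_travel(events) else 0
    return min(score, 100)

# Constructed sample (RFC 5737 documentation IPs): five failures, then a Berlin login followed by New York 30 min later.
T0, BERLIN, NEW_YORK = datetime(2024, 1, 1, 12, 0), (52.52, 13.405), (40.7128, -74.006)
ev = lambda event, actor, ip, minutes, geo=None: {"event": event, "actor": actor, "ip": ip, "ts": T0 + timedelta(minutes=minutes), "geo": geo}
SAMPLE_EVENTS = [ev("auth.login.failure", "alice", "203.0.113.7", m) for m in range(5)] + [
    ev("auth.login.success", "alice", "203.0.113.7", 6, BERLIN),
    ev("auth.login.success", "alice", "198.51.100.9", 36, NEW_YORK),  # 0 + 25 + 50 = 75 -> critical
    ev("auth.login.failure", "bob", "192.0.2.15", 8)]  # 10 -> low
```

Running risk_score over each event in SAMPLE_EVENTS shows how a single success can land in the critical band once the brute-force and impossible-travel signals for the same actor are added to it.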

Ready to add SOCWarden to your app?

Free tier. No credit card. Full threat intelligence from day one.